In today’s network reliant enterprise environment, the definition of a perimeter has taken on additional meaning. No longer is a company’s perimeter strictly defined by a fence along the property line or an interior perimeter defined by the walls of a building.
The network perimeter extends beyond the fence, into emergency callboxes in parking lots, cameras watching the fence, external building intercoms, and VOIP phones inside lobby vestibules. All of these are access points into a network, and if not properly secured, can be exploited by a malicious individual or group attempting to gain access to your company’s data.
Both physical perimeter security and network security are built on the basic principles of the 5 D’s: Deter, Detect, Delay, Deny, and Defend. These can be broken down for the sake of both physical and logical implementations of network security.
5 D’s of Network Security: Deter, Detect, Delay, Deny, and Defend
- Deter – Deterrence is the initial psychological battle with a potential intruder. The sight of a perimeter fence, especially one with cameras, is often enough to prevent any attempt. On the network side, all external network devices should be mounted using security screws. Terminals should be placed inside an enclosure and all MDFs/IDFs secured, preferably with multifactor access control.
- Detect – From a physical perspective there are usually measures in place to detect breaching attempts with sensors or video analytics, but it is not always apparent on the network until it’s too late. Network health monitoring tools like Razberi Monitor™ can identify unusual traffic, denied traffic, and denied attempts. These breach attempts are then reported to network or security monitoring tools like Splunk, SolarWinds or an organization’s video management system (VMS) like Milestone.
- Delay – If an intruder is persistent, basic obstacles may not be enough. It may be necessary to delay them by adding additional obstacles to allow time for discovery (Detect) or cause the intruder to quit. Additional obstacles may include: adding height to a perimeter fence, spikes or razor wire, and physical installation of locking network jacks and/or port locks for unused switch and USB ports. Locking jacks also provide the added benefit of preventing stray disconnects caused by other trades.
- Deny – If an intruder is neither delayed nor discovered, access prevention is required. An example could be the addition of locks and card readers on perimeter doors. Within the network, Deny can be achieved via a couple of means. One example is binding a network port to a known MAC (device) address. If an intruder unplugs the bound device and connects their own to the same network connection, the port blocks the activity and reports the attempt. If the attached device spoofs the bound MAC address, the substitution is still caught by validating the device’s PoE mode and class attributes against those expected for the bound device. Another example is to disable unused ports, so any device connected to them will be denied a connection.
- Defend – A company’s security force or local police are typically responsible for responding to a breach of the physical perimeter once it is detected. In the network/computing realm, detection of a breach may rely on advanced anti-virus solutions that isolate malicious code that has skirted the front-line perimeters and inform staff of it.
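The Deny checks described above (MAC binding per port, PoE mode/class validation against the bound device, and disabled unused ports) can be expressed as a small verdict function. The following is an added example written for this article, not Razberi code or any switch vendor’s implementation; the port names, MAC addresses, PoE classes and link-up events are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed inventory (assumption): the MAC and IEEE 802.3af/at PoE class
# bound to each switch port. Ports absent from the table are treated as
# administratively disabled, so anything plugged into them is denied.
PORT_BINDINGS: Dict[str, Dict] = {
    "Gi1/0/1": {"mac": "00:11:22:33:44:01", "poe_class": 3},  # fence camera
    "Gi1/0/2": {"mac": "00:11:22:33:44:02", "poe_class": 2},  # lobby intercom
    "Gi1/0/3": {"mac": "00:11:22:33:44:03", "poe_class": 1},  # VoIP phone
}

@dataclass
class LinkEvent:
    """A device coming up on a port: the MAC it presents and the PoE class
    the switch negotiated with it (None if it draws no PoE, e.g. a laptop)."""
    port: str
    mac: str
    poe_class: Optional[int]

def evaluate(event: LinkEvent) -> str:
    """Return 'allow' or a 'deny:<reason>' verdict for one link-up event."""
    binding = PORT_BINDINGS.get(event.port)
    if binding is None:
        return "deny:port-disabled"    # unused port, kept shut down
    if event.mac.lower() != binding["mac"].lower():
        return "deny:unknown-mac"      # not the device bound to this port
    if event.poe_class != binding["poe_class"]:
        return "deny:poe-mismatch"     # right MAC, wrong power signature: likely spoofed
    return "allow"

def audit(events: List[LinkEvent]) -> List[str]:
    """Produce one report line per event, suitable for forwarding to a monitoring tool."""
    return [f"{e.port} {e.mac} class={e.poe_class} -> {evaluate(e)}" for e in events]

# Constructed link-up events (assumption), including a laptop that cloned the
# camera's MAC but cannot present the camera's PoE class.
SAMPLE_EVENTS = [
    LinkEvent("Gi1/0/1", "00:11:22:33:44:01", 3),     # genuine camera
    LinkEvent("Gi1/0/1", "00:11:22:33:44:01", None),  # cloned MAC, no PoE draw
    LinkEvent("Gi1/0/2", "aa:bb:cc:dd:ee:ff", 2),     # unknown device on intercom port
    LinkEvent("Gi1/0/7", "00:11:22:33:44:03", 1),     # unused, disabled port
]

if __name__ == "__main__":
    for line in audit(SAMPLE_EVENTS):
        print(line)
```

Real switches implement the MAC binding and port shutdown themselves (port security and administratively disabled interfaces); this script only mirrors the decision logic so the resulting verdicts can be checked and logged.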
Many organizations do not have the means to hire a CCNA/CISSP certified employee because of the expense, expertise, and time required to hire one. CCNA/CISSP certified employees are responsible for deploying managed switches and for creating and enforcing cybersecurity best practices such as MAC binding, port shutdown, service restrictions, network segmentation, whitelisting, and password complexity.
Razberi’s CameraDefense™ automatically enables these best practices and empowers non-technical employees to deploy cybersecurity measures simply. CameraDefense provides the ability to natively report, either on premise or in the cloud, the health of your network and integrates into popular network monitoring tools and VMS. Additionally, Razberi server products are protected by Cylance, an AI-powered anti-virus, which allows your security system to be protected at all levels.
Employing all 5 D’s can significantly reduce your cyber risk by substantially mitigating both physical and logical breaches and preventing unwanted network access.